The cost of data breaches in SA

Jun 28, 2017

IBM Security has announced the results of a South African study exploring the implications and effects of data breaches on businesses.

Sponsored by IBM Security and conducted by Ponemon Institute, the study found that the average cost of a data breach in South Africa is R32,36-million, a 12% increase since 2016. According to the study, these data breaches cost companies on average R1 632 ($124) per lost or stolen record.

This year’s annual study was conducted in 11 countries and two regions: the United States, Germany, Canada, France, the United Kingdom, Italy, Japan, Australia, the Middle East (Saudi Arabia and the UAE combined), Brazil, India, ASEAN (Association of Southeast Asian Nations) as well as South Africa. Compared to other markets, organisations in South Africa saw an average data breach cost of R32.36-million, had a direct per capita cost of R809 ($62,5) and are amongst the markets that spend R8.07-million on post-data-breach response.

The 2017 Cost of Data Breach report also revealed that malicious or criminal attacks are the most frequent cause of a data breach in South Africa. Forty-seven percent of incidents involved data theft or criminal misuse. These types of incidents cost companies R1,903 ($147) per compromised record, compared to R1,425 ($110.2) and R1,432 ($110.8) per compromised record as a result of a breach caused by a system glitch or employee negligence, respectively.

Top factors that contributed to the increase in the cost of a data breach in South Africa include compliance failures and the extensive use of mobile platforms. Companies reported that these two factors increased the cost of each compromised record by R79 ($6.1) and R90 ($6.9), respectively.

“Data protection continues to be a challenge as businesses hold more and more sensitive information, pushing cyber security higher up the agenda,” says Sheldon Hand, Security Business Unit Leader South Africa. “According to the study, malicious or cyberattacks are a major cause of data breaches in South Africa. Such attacks are financially damaging and present a great threat to the reputation of organisations. It is important to start looking at security hygiene measures as an opportunity to avoid falling victim to the next big security threat rather than a nuisance.”

Time Is Money: Containing Data Breaches

The study found that having an Incident Response (IR) Team in place significantly reduced the cost of a data breach to R1,494 ($115.5) per compromised record. In contrast, a third-party error increased the cost to R1,763 ($136.3) per compromised record. The speed at which a breach can be identified and contained is in large part due to the use of an IR team and having a formal Incident Response plan. IR teams can assist organisations to navigate the complicated aspects of containing a data breach to mitigate further losses.

According to the study, how quickly an organisation can contain data breach incidents has a direct impact on the financial consequences. The cost of a data breach was nearly R5-million lower on average for organisations that were able to contain a data breach in less than 30 days compared to those that took longer than 30 days.

With such significant cost savings in mind, the study revealed there’s room for improvement with organisations when it comes to the time to identify and respond to a breach. On average, organisations in South Africa took 155 days to identify a breach, and 44 additional days to contain a breach once discovered.

Additional Key Findings from 2017 Cost of a Data Breach Report in South Africa

• By Industry, Services, Financial Services and Technology Breaches Most Costly: In South Africa, financial, services and industrial companies have topped the list as the most expensive industries for data breaches, costing organisations over R1,632 ($126.2) per compromised record.
• Top Factors Reducing Cost of a Breach: In South Africa, the appointment of a Certified Protection Officer (CPO) has shown the most impact on reducing the cost of a data breach. The appointment of a CPO and the use of security analytics resulted in a R20 ($1,5) and R41 ($3,1) reduction in cost per lost or stolen record, respectively.

Uncovering the Cost of a Data Breach

The annual Cost of Data Breach study examines both direct and indirect costs to companies in dealing with a single data breach incident. Through in-depth interviews with more than 410 companies in 13 countries or regions, the study factors in costs associated with breach response activities, as well as reputational damage and the cost of lost business.

“Data breaches and the implications associated continue to be an unfortunate reality for today’s businesses,” says Dr Larry Ponemon. “Year-over-year we see the tremendous cost burden that organisations face following a data breach. Details from the report illustrate factors that impact the cost of a data breach, and as part of an organisation’s overall security strategy, they should consider these factors as they determine overall security strategy and ongoing investments in technology and services.”